What is claimed is: 



1 1. A system for providing dynamic screening of transient messages in 

2 a distributed computing environment, comprising: 

3 an antivirus system intercepting an incoming message at a network 

4 domain boundary, the incoming message including a header comprising a 

5 plurality of address fields storing contents; 

6 a stored set of blocking rules, each blocking rule defining readily- 

7 discoverable characteristics indicative of messages infected with at least one of a 

8 computer virus, malware and bad content; 

9 a parser module identifying the contents of each address field; 

10 a comparison module checking the contents of each address field against 

!«* 11 the blocking rules to screen infected messages and identify clean messages; and 
m 12 an intermediate message queue staging each such clean message pending 

j* 13 further processing. 

f ft 

ft 

□ 1 2. A system according to Claim 1, further comprising: 

* u 2 a message receiver discarding each such infected message without further 

H 3 processing. 

fy 

\* 1 3. A system according to Claim 1, wherein each such blocking rule is 

; J 2 specified as a regular expression containing at least one of literal and wildcard 

3 values. 

1 4. A system according to Claim 1, further comprising: 

2 an antivirus scanner scanning each message in the intermediate message 

3 queue for at least one of a computer virus, malware and bad content. 

1 5. A system according to Claim 4, further comprising: 

2 an event handler performing each scanning operation as an event 

3 responsive to each such clean message staged in the intermediate message queue. 

1 6. A system according to Claim 1, further comprising: 
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2 a gateway receiving the incoming messages into the network domain 

3 boundary. 

1 7. A system according to Claim 1, wherein the structured fields 

2 comprise at least one of sender, recipient, copied recipient, blind copied recipient, 

3 date, time, and subject. 

1 8. A system according to Claim 1, wherein the incoming message 

2 comprises at least one attachment. 

1 9. A system according to Claim 1, wherein the distributed computing 

2 environment is TCP/IP-compliant and each incoming message is SMTP- 

3 compliant. 

1 10. A method for providing dynamic screening of transient messages 

2 in a distributed computing environment, comprising: 

3 intercepting an incoming message at a network domain boundary, the 

4 incoming message including a header comprising a plurality of address fields 

5 storing contents; 

6 maintaining a set of blocking rules, each blocking rule defining readily- 

7 discoverable characteristics indicative of messages infected with at least one of a 

8 computer virus, malware and bad content; 

9 identifying and checking the contents of each address field against the 

10 blocking rules to screen infected messages and identify clean messages; and 

11 staging each such clean message into an intermediate message queue 

12 pending further processing. 

1 11. A method according to Claim 10, further comprising: 

2 discarding each such infected message without further processing. 

1 12. A method according to Claim 10, further comprising: 

2 specifying each such blocking rule as a regular expression containing at 

3 least one of literal and wildcard values. 
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13. A method according to Claim 10, further comprising: 
scanning each message in the intermediate message queue for at least one 

of a computer virus, malware and bad content. 

14. A method according to Claim 13, further comprising: 
performing each scanning operation as an event responsive to each such 

clean message staged in the intermediate message queue. 

15. A method according to Claim 10, further comprising: 
receiving the incoming messages at a gateway into the network domain 

boundary. 

16. A method according to Claim 10, wherein the structured fields 
comprise at least one of sender, recipient, copied recipient, blind copied recipient, 
date, time, and subject. 

17. A method according to Claim 10, wherein the incoming message 
comprises at least one attachment. 

18. A method according to Claim 10, wherein the distributed 
computing environment is TCP/IP-compliant and each incoming message is 
SMTP-compliant. 

19. A computer-readable storage medium holding code for performing 
the method according to Claims 10, 11, 12, 13, 14, 15, 16, 17, or 18. 

20. A system for efficiently detecting computer viruses and malware at 
a network domain boundary, comprising: 

an antivirus system receiving an incoming message packet from a sending 
client at a network domain boundary through an open connection, the incoming 
message packet comprising a header including fields, which each store field 
values; 

a message receiver comprising: 
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8 a parser module parsing the field values from each field in the 

9 header of each incoming message packet by extracting tokens representing the 

10 field values; 

11 a comparison module comparing the tokens to characteristics 

12 indicative of at least one of a computer virus and malware to identify screened 

13 incoming message packets, and forwarding each screened incoming message 

14 packet. 

1 21. A system according to Claim 20, wherein each incoming message 

2 packet further comprises a body storing message content, further comprising: 

3 an antivirus scanner scanning the message content of the body of each 

4 screened incoming message packet for at least one of a computer virus and 

5 malware to identify uninfected screened incoming message packets, and 

6 forwarding each uninfected screened incoming message packet. 

1 22. A system according to Claim 20, further comprising: 

2 a message queue enqueueing each screened incoming message packet. 

1 23. A system according to Claim 20, wherein the antivirus system 

2 closes the open connection to the sending client of each non-screened incoming 

3 message packet. 



»* 1 24. A system according to Claim 20, wherein the comparison module 

2 analyzes at least one of a sender, recipient, copied recipient, blind copied 

3 recipient, date, time, and subject field in the header of each incoming message 

4 packet. 

1 25. A system according to Claim 20, wherein the comparison module 

2 applies blocking rules to the field values of the header of each incoming message 

3 packet. 

1 26. A system according to Claim 20, wherein the distributed 

2 computing environment is TCP/IP-compliant and each incoming message packet 

3 is SMTP-compliant. 
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1 27. A method for efficiently detecting computer viruses and malware 

2 at a network domain boundary, comprising: 

3 receiving an incoming message packet from a sending client at a network 

4 domain boundary through an open connection, the incoming message packet 

5 comprising a header including fields, which each store field values; 

6 parsing the field values from each field in the header of each incoming 

7 message packet by extracting tokens representing the field values; 

8 comparing the tokens to characteristics indicative of at least one of a 

9 computer virus and malware to identify screened incoming message packets; and 
10 forwarding each screened incoming message packet. 

\a 1 28. A method according to Claim 27, wherein each incoming message 

p 2 packet further comprises a body storing message content, further comprising: 

H* 3 scanning the message content of the body of each screened incoming 

IP 

Iff 4 message packet for at least one of a computer virus and malware to identify 

*S 5 uninfected screened incoming message packets; and 

* 6 forwarding each uninfected screened incoming message packet. 

iu 

1 4 1 29. A method according to Claim 27, further comprising: 

yf 2 enqueueing each screened incoming message packet onto a message 

13 

I * 3 queue. 

1 30. A method according to Claim 27, further comprising: 

2, closing the open connection to the sending client of each non-screened 

3 incoming message packet. 

1 31. A method according to Claim 27, further comprising: 

2 analyzing at least one of a sender, recipient, copied recipient, blind copied 

3 recipient, date, time, and subject field in the header of each incoming message 

4 packet. 

1 32. A method according to Claim 27, further comprising: 
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applying blocking rules to the field values of the header of each incoming 
message packet. 

33. A method according to Claim 27, wherein the distributed 
computing environment is TCP/IP-compliant and each incoming message packet 
is SMTP-compliant. 

34. A computer-readable storage medium holding code for performing 
the method according to Claims 27, 28, 29, 30, 31, 32, or 33; 



0232.01.apl 



-17- 



